Choose from the alphabetic list below to learn about a method. See also Finding methods

by function. The Call, Branch, Collect, Java, Queue, and Rule operations are technically

"instructions", not methods. For information on these instructions, see:

      BRANCH  — Branching to another activity 

      CALL —   Calling another activity

   COLLECT — Begin execution of a collection rule

   FLOW-NEW — Start a flow execution

      JAVA —   Using Java in an activity step

   QUEUE —   Execute another activity asynchronously

      RULE  — Using the Rule instruction to implement a custom rule type

  A

Method Description

Activity-Clear-Status Reset the method status from the previous method.

Activity-End End the current activity and calling activities.

Activity-List-Add Add an activity to an internal dispatch list.

Activity-Set-Status Set a return value.

Apply-DataTransform Update property values based on a data transform rule.

Apply-Parse-Delimited Execute a Parse Delimited rule in an activity.

Apply-Parse-Structured

Execute a Parse Structured rule in an activity.

Apply-Parse-XML Execute a Parse XML rule in an activity.

Assert-No-Invocation Exclude this activity from invocation counting for license compliance.

  C

Commit Commit all database changes in the Thread.

Connect-dotNet

Start a connector to a Web service based on the Microsoft .NET framework.

Connect-EJB Start a connector to an external Enterprise JavaBean.

Connect-File Start a connector to write to a file.

Connect-FTP Copy a file from one location to another using File Transfer Protocol

Connect-HTTP

Start a connector to an external system using HTTP.

Connect-Java Start a connector to call an external Java class or JavaBean.

Connect-JCA Start a connector to an external system through a JCA resource adapter.

Connect-JMS Start a connector to an external system using the Java Message Service application programmer interface.

Connect-MQ Start a connector for a WebSphere MQ connection.

Connect-SOAP

Start a connector to invoke a Web service.

Connect-Wait Block (pause) for a time interval to synchronize with a child requestor.

  E F H L M

End-Validate End compilation of referencing rules, for a custom rule type.

Exit-Activity End the current activity.

Flow-End End a flow execution.

Flow-New Start a new flow execution.

History-Add Record your changes to work items or activities

History-List List instances of a class.

Link-Objects Link objects together.

Log-Message Add a message to the Pega log.

Map-Structured Parse or assemble a fixed format data structure.

  O

Obj-Browse Search through and select instances of a class based on tests of values of exposed columns.

Obj-Delete Delete an instance from the database, or mark it for later deletion with the Commit method

Obj-Delete-By-Handle Delete an instance from the database (or mark it for later deletion) using the handle.

Obj-Filter Remove embedded pages of a Code-Pega-List results page that fail to meet criteria specified in a when condition rule.

Obj-List Search through instances of a class and extract selected properties.

Obj-List-View Execute the retrieval and sorting operations of a list view rule, but with no formatting or HTML display.

Obj-Open Open an instance stored in the PegaRULES database or in certain cases an external database.

Obj-Open-by-Handle Open an instance using a permanent unique key.

Obj-Refresh-and-Lock Open an instance and acquire a lock.

Obj-Save Save page data to the database, or mark it for saving (commit) later.

Obj-Save-Cancel Reverse a previous Obj-Save or Obj-Delete method, not yet committed to the database.

Obj-Set-Tickets Set or reset tickets, interrupting the normal sequential processing of a flow.

Obj-Sort Sort the values of a property of mode Page List.

Obj-Validate Run a Validate rule on a set of properties, typically representing user input.

  P

Page-Change-Class Change the class of a page.

Page-Clear-Messages Remove page messages from the step page.

Page-Copy Copy contents of one page to another page

Page-Merge-Into Merge two or more pages into one page.

Page-New Create a page.

Page-Remove Delete a page from the clipboard.

Page-Rename Rename a page or name a primary page

Page-Set-Messages Associate a message with a page.

Page-Unlock Release a lock held after Commit.

Page-Validate Validates all properties on a page.

Parse-Byte-Pos Used only in Parse Structured rules.

Parse-Char-Pos Used only in Parse Structured rules.

Parse-Fixed-Binary Used only in Parse Structured rules.

Parse-Packed-Decimal Used only in Parse Structured rules.

Privilege-Check Determine whether a user or requestor has a specified privilege.

Property-Map-DecisionTable

Evaluate a decision table rule and assign the result to a property

Property-Map-DecisionTree Evaluate a decision tree rule and assign the result to a property.

Property-Map-Value Set the value of a property based on a one-dimensional map value rule.

Property-Map-ValuePair Set the value of a property based on a two-dimensional map value rule.

Property-Ref Link reference properties with non-reference properties.

Property-Remove Delete a property from a page.

Property-Seek-Value Use backward chaining to obtain a value.

Property-Set Set the value of one or more specified properties

Property-Set-Corr Save the contents of a correspondence stream as the value of a property.

Property-Set-HTML Save the contents of an HTML stream as the value of a property.

Property-Set-Messages Associate a literal text message with a property or a step page.

Property-Set-Stream Save the contents of a JSP, XML, or HTML stream as the value of a property.

Property-Set-XML Save the contents of an XML stream as the value of a property.

Property-Validate Apply an edit validate rule to test user input.

  Q R

Queue-for-Agent Enqueue a System-Queue- derived clipboard page into the system queue for background processing.

RDB-Delete Delete an instance from a relational database.

RDB-List Retrieve rows from an external relational database.

RDB-Open Open an instance from an external relational database.

RDB-Save Save the contents of a clipboard page to a relational database.

Requestor-Stop Stop processing of the requestor.

Rollback Cancel any uncommitted database save operations.

  S T W

Method Description

Show-HTML Assemble and send an HTML page to a user's browser.

Show-Page Send an XML representation of a page to the browser.

Show-Property Send a single property value to the browser.

Show-Stream Apply stream processing to a JSP, HTML, correspondence, or XML Stream rule.

Start-Validate Compile referencing rules for a custom rule type.

StringBuffer-Append

Manipulate string buffer containing local variables.

StringBuffer-Insert

Manipulate string buffer containing local variables.

StringBuffer-Reset

Manipulate string buffer containing local variables.

TaskStatus-Set Convey results of activity processing to a calling flow.

Text-Infer Evaluate a parse infer rule.

Text-Normalize Evaluate a parse normalize rule.

Thread-Clear Clear the thread page.

Wait Pause a Thread for a specified time interval.

Best Practice 2: Filter all inputs

Filter and validate input data as thoroughly as possible, including inputs submitted from

browser forms, inputs from service requests (such as email), and inputs from connector

responses. Prevent invalid data from entering a work object or a work object attachment.

Use the following features to validate individual values:

Strong types — For Single Value, Value List and Value Group properties, select the Property Type carefully. Use Integer, Double, Decimal, DateTime, Date, TimeofDay, and TrueFalsewhen appropriate (rather than Text, Password or Identifier). Special characters that are common in JavaScript code — such as quotes — can never appear in a numeric, date or time value, but may legitimately appear in Text, Password, or Identifier value.

White lists — Several features let you constrain a property value to one of a fixed list or pattern of values, including the property table edits (Local List, Field Values, Class Key values) on theGeneral tab in V5.5+ or the Table Edit tab in earlier releases.

Restrictions — Complete the Max Length field for Text, Password or Identifier fields. For example, it is difficult to fit a malicious JavaScript program into a small number of characters.

Not declarative —Select the Cannot be a Declarative Target check box if applicable. (This is a weak measure, but helpful; since a declarative expression could assemble a JavaScript source code.)

Special properties —Select the Cannot be included as an input field check box if the property is always computed from other values. (This also is a weak measure, but helpful.)

Validation — Identify an edit input rule and an edit validate rule when possible. Don't accept angle brackets, quotes, ampersand, or other special characters in fields unless necessary for a sound business reason For example, the standard validation rule isLetterorDigit limits values to hold only letters and digits. (On the V5.5 Property form, Max Length and validation fields appear on theAdvanced tab.)

Use map value rules, validation rules, and constraints rules to validate inputs.

To test arriving email attachments or other file attachments for software viruses and malicious JavaScripts, override the extension point activity Data-WorkAttach-File.CallVirusCheck with an activity that calls your third-party virus software. Your activity can call a Java class or (in a Microsoft Windows server) a Dynamic Linked Library routine.

Ensure that files uploaded from application user workstations, and text files processed by a file listener, are virus-checked.

Input filtering is worthwhile even if an application has 100% coverage of output filtering for

the HTML that the application sends to a browser. Applications often send output to other

systems — rather than to a browser — that could contain a malicious JavaScript function,

such as an HTML-rendered email message. Infecting another system — which may belong

to another department, to a customer, or to a supplier — is a security failure no less serious

than infecting an application user.

Do not disable this security feature.

Avoid use of the URL JSP tag in handcrafted stream rules. If you must use a URL tag, call the Safe URL JavaScript functions to obfuscate the URL query string.

Examples

Below are portions of hand-crafted stream rules that are modified to filter a value using

these two PublicAPI functions in an inline Java scriptlet:

Incorrect

  <%tools.appendString(tools.getActiveValue()); %>

Correct

   <%tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue()));%>

or

  <%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue()));%>

Incorrect

  <%tools.appendString(tools.getSaveValue("savename”)); %>

Correct

 <pega:reference name=$save(savename) />

or

 <%tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename”))); %>

or

 <%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename”))); %>

Incorrect

   <%tools.appendString(tools.getParamValue("paramname")); %>

Correct

 

 <pega:reference name=param.paramname/>

or

 <%tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>

or

<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>